
04/12/2024

Updated Integrity Guidelines for Private Companies

Filipe Batich
Partner
Rhasmye El Rafih
Associate

The Office of the Comptroller General of the Union (CGU) has recently published an addendum to the Integrity Guidelines for private companies, initially launched in 2015.

Purpose of the publication

To clarify and update recommendations for the implementation and enhancement of Integrity Programs considering:

  • Decree No. 11,129/2022, which regulates Law No. 12,846/2013 (Anti-Corruption Law)
  • New legislation, particularly Law No. 14,133/2021 (Public Procurement Law)
  • Best practices, including ESG (environmental, social, and governance) criteria

Key updates

  • Definition of Integrity Program: Emphasizes prevention and the need to maintain an organizational culture of integrity beyond anti-corruption measures, addressing issues such as prevention of harassment, respect for human and social rights, and environmental preservation.
  • Reasons to implement an Integrity Program: Reinforces the adoption and application of the Integrity Program as:
    • A criterion for mitigating the fines provided for in Law No. 12,846/2013 (art. 23, V, Decree No. 11,129/2022)
    • An element considered in the imposition of sanctions under Law No. 14,133/2021 (art. 156, §1º, Law No. 14,133/2021)
    • A tie-breaking criterion in public tenders (art. 60, IV, Law No. 14,133/2021)
    • A requirement for entering into large-scale contracts with the Public Administration (art. 25, §4º, Law No. 14,133/2021)
    • A condition for the rehabilitation of disqualified bidders or contractors (art. 163, p. ún., Law No. 14,133/2021)
    • A best practice for securing investments and contracting business partners
    • A means to reduce reputational risks
    • A strategy to minimize the risk of wrongdoing

Corporate governance

  • Require a well-defined structure of direction and control, with clearly delineated and accessible competencies and responsibilities.
  • Disclose the composition of groups, structures of control, and the relationship between parent and subsidiary companies, when applicable.
  • Evaluate whether governance structures are adequate to size, activities, and regulatory standards.
  • Analyze whether duties and responsibilities are sufficiently detailed in corporate documents and disclosed within the organization.
  • Ensure there are supervision mechanisms for the Integrity Program.
  • Verify the possibility of diversifying the composition of governance bodies.
  • Disclose on websites the governance structure, occupants, positions, and respective qualifications.

Role of leadership

  • Reflected in the selection process for senior management positions (hiring individuals without a history of irregularities).
  • In the evaluation and remuneration of leadership (performance goals linked to the Integrity Program).
  • In the qualification of leaders (considering the level of knowledge about anti-corruption policy and ESG criteria and training for senior management).
  • In leadership communication (clear, frequent, and practice-reflected statements).
  • In resources allocated to the implementation and application of the Integrity Program (financial and human resources compatible with the organization’s size and activity risks).
  • In the proper application of sanctions (absence of omission or connivance with irregularities, proportional disciplinary measures to the severity, etc.).

Instance responsible for the Integrity Program

  • Have a specific department for large companies and/or highly regulated sectors, or a single responsible person in small structures, preferably without outsourcing these functions (the outsourcing of support activities such as hotline channels, training, and risk assessments is not covered by this exception).
  • Establish specific duties (e.g., risk assessment, implementation of policies, dissemination of the integrity culture, participation in internal investigations, monitoring, reporting to senior management, etc.).
  • Foster a culture of formalization.
  • Designate a responsible person with higher education and experience in risk management, regulation, and internal controls.
  • Ensure the responsible person participates effectively in the budget preparation for the area and that he/she holds a high-level position.
  • In companies with a Board of Directors, ensure the compliance officer reports directly to the Board or an advisory committee, preferably chaired by an independent member.
  • Provide for the production of periodic reporting on risks and measures taken to mitigate them, with data and statistics on policy application, irregularities detected by internal controls, and reports received and investigated.
  • Senior management should supervise the instance responsible for the Integrity Program and subject it to indicators, goals, and internal audits, when applicable.
  • In multinationals, adopt a responsible instance in Brazil to ensure the program’s application according to Brazilian reality, with the respective translation and adaptation of the main policies to local legislation, conducting communication actions, training, and reporting channels that allow interactions in Portuguese.
  • In economic groups, clarify which instances are responsible for implementing, applying, and monitoring the program in each company, delineating the hierarchy and forms of interaction between the group’s instances.

Risk Management

  • Periodically identify integrity risks (including in routine situations and considering the ESG aspects), classify them according to probability and impact, prioritize them, and define mitigating measures, with designated responsible individuals (preferably coordinated by the individual responsible for the Integrity Program and supervised by senior management) and an implementation schedule.

Conduct Standards

  • Implement a Code of Ethics and other integrity policies (e.g., relationship with the public sector, gifts & presents, hiring third parties, donations, and sponsorships), depending on the mapped risks. It is recommended that the Code of Ethics be formally approved by senior management and easily accessible on the organization’s website, with minimum content covering the following topics: anti-corruption, anti-fraud, respect for human rights, environmental responsibility, intolerance of all forms of harassment and discrimination, promotion of diversity, prohibition of child labor and of labor analogous to slavery, reporting channels, whistleblower protection, and application of sanctions. Policies should present rules, flows, and procedures, indicating those responsible for their application and control.

Training and communication

  • Develop specific and risk-based training, combining various formats (educational videos, online and in-person training, interactivity).
  • Evaluate the impact (e.g., statistics, tests, surveys of perception) and effectiveness (e.g., prevention of irregularities, incentives and protections to report, greater contact with compliance) of training.
  • Issue communications aimed at encouraging and recognizing ethical behavior, respect for human rights and diversity, and the pursuit of sustainable environmental practices, reflected in leadership actions and business conduct.

Accounting controls

  • Choose technological solutions and computerized systems for records and implement robust and reliable procedures for accounting records, with:
    • Workflow of records
    • Segregation of activities
    • Approval levels and alert mechanisms to identify out-of-standard expenses and revenues
    • Checks of compliance with the clauses of the contract before payment
    • Independent internal and/or external audit

Third parties

  • Classify the risk of the potential third party after conducting due diligence.
  • Periodically supervise third parties, depending on the contract term and the contractor’s risk profile.
  • Adopt anti-corruption and human, labor, and social rights clauses in contracts, with sanctions for non-compliance.
  • Implement policies and procedures for hiring third parties considering the above points.

M&A

  • Conduct preliminary due diligence, including anti-corruption issues.
  • In case of frequent operations, implement policies that define the measures adopted for the continuation or interruption of the operation in case of detection of irregularities and the role of the individual responsible for the Integrity Program in this decision.

Detection of wrongdoing

  • Provide hotline channels in Portuguese, accessible to internal and external audiences, separately from customer service, ensuring protection to the whistleblower (e.g., non-retaliation, anonymity, and confidentiality) and mechanisms that ensure the whistleblower can follow up on the report, to provide transparency and credibility in the investigation process.
  • Implement a policy for internal investigations, indicating those responsible for it.
  • Establish specific flows for internal investigations when senior management is involved to avoid interference.
  • Have routines to stop wrongdoing.
  • Periodically disclose general information about internal investigations and application of sanctions internally, without exposing individuals or situations.
  • Preserve evidence of irregularities for possible collaboration with authorities.

Monitoring

  • Develop a monitoring plan.
  • Define those responsible for monitoring and the need for participation of the individuals responsible for the Integrity Program.
  • Define periodicity in monitoring.
  • Standardize the form and periodicity of presenting information and data.
  • Share monitoring results with senior management.
  • Use performance indicators and goals linked to the program.
  • Conduct surveys to assess employees’ knowledge and engagement with the program and the perception of employees and third parties about senior management’s commitment and integrity culture.
  • Document and record the entire monitoring process.

Why is the Guide important for your business?

The complementary guide offers new guidelines for companies to implement or improve their Integrity Program in compliance with the latest legislation and best practices. Implementing the CGU’s recommendations can also contribute to a better perception or evaluation of the Integrity Program’s effectiveness by public regulatory and control bodies, including in the sanctioning sphere, and by private agents with whom your company intends to establish or maintain commercial relations.